Transparency information

Dovetail Digital Ltd ("Dovetail" or "the Company") keeps limited personal data about patients and the public. When a person signs up to use our service or mobile application, we store their name, address, contact details and NHS number in order to identify them and provide our service and customer support.

Our service facilitates the movement of patient data from one place to another if the patient has given their explicit consent for this to take place. We do not store the data we transport but we do store a record of where it was sent from, e.g. your GP, and where it was sent to, e.g. a private hospital or a digital health application.

Rights

All data subjects (an individual to whom personal data relates) have the following qualified rights:

The right to rectification if the information held is inaccurate or incomplete

The right to restrict processing and/or erasure of personal data

The right to data portability

The right to object to processing

The right to object to automated decision making and profiling

The right to complain to the Information Commissioner’s Office (ICO)

In addition, individuals can request access to the personal data held about them.

Data subjects are able to make a data subject access request, or other access requests, by emailing the DPO directly or [email protected]

We will respond to all rights access requests within the GDPR-required one-month period.

Obligations

To comply with the law, information must be collected and used fairly, stored and not transferred to any other person unlawfully. This is captured in the data protection principles set out by GDPR. Those handling personal data must comply with these principles.

Personal data shall:

Be obtained, processed and used fairly, lawfully and transparently

Be collected for specified, explicit and legitimate purposes and not processed for any other purpose

Be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Be accurate and, where necessary, kept up to date

Be kept for no longer than is necessary

Be protected by appropriate security measures to prevent loss or unauthorised access

In addition, personal data should not be transferred outside of the European Economic Area. In cases where this may be necessary, please seek the advice of the Data Protection Officer.

Third Party data processing

We use a third-party software vendor to do Know Your Customer or Identity Checks when you first sign up to use our service/mobile application. This involves taking a photograph of your identification documents and a selfie photograph which are matched. This data will be deleted as soon as the software has confirmed the identity of the person. A service level agreement with appropriate safeguards is in place.

Roles and responsibilities

Senior management have oversight of data protection matters at the company, with a reporting line through to the Board of Directors.

The Data Protection Officer is the designated company contact for all matters related to data protection and first point of contact with the regulator (Information Commissioner’s Office).